Abstract. We present a formal tool for verification of multivariate nonlinear inequalities. Our verification method is based on interval arithmetic with Taylor approximations. Our tool is implemented in the HOL Light proof assistant and it is capable of verifying multivariate nonlinear polynomial and non-polynomial inequalities on rectangular domains. One of the main features of our work is an efficient implementation of the verification procedure which can prove non-trivial high-dimensional inequalities in several seconds. We developed the verification tool as a part of the Flyspeck project (a formal proof of the Kepler conjecture). The Flyspeck project includes about 1000 nonlinear inequalities. We successfully tested our method on more than 100 Flyspeck inequalities and estimated that the formal verification procedure is about 3000 times slower than an informal verification method implemented in C++. We also describe future work and prospective optimizations for our method.



1 Introduction 

In this paper, we present a tool for formal verification of nonlinear inequalities in HOL Light [1]. Our tool can verify multivariate polynomial and non-polynomial inequalities on rectangular domains. The verification technique is based on interval arithmetic with Taylor approximations. A short user manual describing our tool is available [2]. Solovyev's thesis [3] contains additional information about the verification tool and the corresponding formal techniques.

Our work is an integral part of the Flyspeck project [4,5]. This project was launched in 2003 by T. Hales to produce a complete formal verification of Hales' proof of the Kepler conjecture [6,7]. There are several major computationally extensive verification problems in the Flyspeck project. One of these problems is a formal verification of about 1000 multivariate nonlinear inequalities. We have successfully tested our formal verification tool on several simple Flyspeck nonlinear inequalities (we have verified 130 inequalities). In theory, almost all Flyspeck inequalities can be verified with our formal verification procedure. A rough estimate shows that the current formal procedure is about 3000 times slower than the corresponding informal verification algorithm in C++ [8]. With this estimate, it will take more than 4 years to verify all Flyspeck nonlinear inequalities formally on a single computer (the informal procedure requires about 9 hours).

There exist other formal methods for verification of nonlinear inequalities. First of all, general quantifier elimination procedures may be used to solve some polynomial inequalities [9,10,11]. Another method for proving polynomial inequalities is known as the sums-of-squares (SOS) method [12].

A tool called MetiTarski [13,14] is capable of verifying multivariate polynomial and non-polynomial inequalities on unbounded domains. It approximates non-polynomial functions by suitable polynomial bounds and then applies quantifier elimination procedures to the resulting polynomials.

The Bernstein polynomial technique [15] allows one to verify multivariate polynomial inequalities. Each polynomial can be written as a sum of polynomials in the Bernstein polynomial basis. Coefficients of this representation give bounds of the polynomial itself. A complete formal implementation of this method is done in PVS [16]. Non-polynomial inequalities must first be converted into polynomial inequalities by finding polynomial bounds. One way to find polynomial bounds is to use Taylor model approximations [17]. R. Zumkeller's thesis describes this method in detail [15]. He also implemented an informal global optimization tool based on Bernstein polynomials [18] in Haskell.

There exists a tool in the PVS proof assistant which uses the same technique as our tool (interval arithmetic with Taylor approximations) [19], but this tool works only with univariate functions.

Methods based on quantifier elimination procedures do not scale well when 
the number of variables grows and when inequalities become more complicated. 
The Bernstein polynomial technique works well for polynomial inequalities but 
does not show very good results for inequalities involving special functions in 
high dimensions. 

2 Verification of Nonlinear Inequalities 

2.1 Nonlinear Inequalities and Interval Taylor Approximations 

Consider the problem: prove that

$$\forall x \in \mathbb{R}^n,\; x \in D \Rightarrow f(x) < 0.$$

$D$ is assumed to be a rectangle given by $D = \{(x_1, \dots, x_n) \mid a_i \le x_i \le b_i\} = [a, b]$. We also assume that $f(x)$ is twice continuously differentiable in an open domain $U \supset D$.

One way to solve the problem is to consider a finite partition $D = \bigcup_j D^j$ such that each $D^j$ is rectangular. Also, we assume that $\bar f(D^j) < 0$ where $\bar f$ is an interval approximation of $f$ (that is, $\bar f(D^j)$ is the interval corresponding to the interval evaluation of $f(x_1, \dots, x_n)$ for input intervals $x_i \in [a_i^j, b_i^j]$; clearly, $f(D^j) \le \bar f(D^j) < 0$). It is easy to see that such a partition always exists if $f$ is continuous, $f(D) < 0$, and $f$ can be arbitrarily well approximated by $\bar f$ on sufficiently small domains. (It follows by a compactness argument: for each point $x \in D$ there is a small rectangle such that $x \in \mathrm{interior}(D^j)$ and $\bar f(D^j) < 0$; $D$ is compact, so there are finitely many rectangles $D^j$ such that

The main difficulty is finding a suitable partition $\{D^j\}$. The easiest way is the following. Let $D^0 = D$ and compute $\bar f(D^0)$. If this value is less than $0$ (in the interval sense), then we are done. Otherwise divide $D^0$ into two regions $D^0 = D^1_1 \cup D^1_2$. Then repeat the procedure for regions with upper index $1$. In general, either $\bar f(D^j_i) < 0$ or we get $D^j_i = D^{j+1}_{2i-1} \cup D^{j+1}_{2i}$. If we divide each region such that the sizes of new regions become arbitrarily small in all dimensions, then the process will eventually stop and a suitable partition of $D$ will be found. An easy way to achieve this goal is to divide each region in half along the coordinate for which its size is maximal, i.e., if $D^j_i = \{a_i \le x_i \le b_i\} = [a, b]$ and $b_m - a_m = \max_i \{b_i - a_i\}$, then set $D^{j+1}_{2i-1} = [a, b^{(m,y)}]$ and $D^{j+1}_{2i} = [a^{(m,y)}, b]$. Here, $y = (a_m + b_m)/2$ and $a^{(m,y)}$ equals $a$ with the $m$-th component replaced by $y$.

As the result of the procedure above, we get a finite set of subregions $S = \{D^j_i\}$ with the property: for each $D^j_i \in S$ either $\bar f(D^j_i) < 0$ or $D^j_i = D^{j+1}_{2i-1} \cup D^{j+1}_{2i}$. In the last case, the verification relies on a trivial theorem

$$D = D_1 \cup D_2 \;\wedge\; f(D_1) < 0 \;\wedge\; f(D_2) < 0 \;\Longrightarrow\; f(D) < 0.$$

Interval arithmetic works for any continuous function (at least in theory, where numerical errors are not considered) but it is not very efficient in general. This is due to the dependency problem, when even a simple function could require a lot of subdivisions in order to get the result on the full domain. Even a trivial inequality $f(x) = x - x < 1$ will require subdivisions for the domain $x \in [0, 1]$. Indeed, $\bar f([0, 1]) = [0, 1] - [0, 1] = [-1, 1]$. Of course, we can simplify $x - x = 0$, but it is not possible to do so for the function $f(x) = x - \arctan(x)$ which has similar behaviour near $0$. For this function, $\bar f([0, 1]) = [0, 1] - [0, \pi/4] = [-\pi/4, 1]$ and we don't get $f(x) < 1$. One way to decrease the dependency problem is to use Taylor approximations for computing bounds of $f$ on a given domain $D$.

Fix $y \in D = [a, b]$, then we can write

$$f(x) = f(y) + \sum_{i=1}^n \frac{\partial f}{\partial x_i}(y)\,(x_i - y_i) + \frac12 \sum_{i,j=1}^n \frac{\partial^2 f}{\partial x_i \partial x_j}(p)\,(x_i - y_i)(x_j - y_j)$$

where $p \in [a, b]$. Let $w = \max\{y - a, b - y\}$ (all operations are componentwise). Suppose we have interval bounds for $f(y) \in [f^{lo}, f^{hi}]$, $\frac{\partial f}{\partial x_i}(y) \in [f_i^{lo}, f_i^{hi}]$ and $\frac{\partial^2 f}{\partial x_i \partial x_j}(t) \in [f_{ij}^{lo}, f_{ij}^{hi}]$ for all $t \in D$. We can write

$$\forall x \in D,\quad f(x) \le f^{hi} + \sum_{i=1}^n \bigl|[f_i^{lo}, f_i^{hi}]\bigr|\, w_i + \frac12 \sum_{i,j=1}^n \bigl|[f_{ij}^{lo}, f_{ij}^{hi}]\bigr|\, w_i w_j.$$

Absolute values of intervals are defined by $|[a, b]| = \max\{-a, b\}$.

Let's see how well this approximation works on examples. Again, take $f(x) = x - x$ and $D = [0, 1]$. We compute $f'(x) = 1 - 1 = 0$ and $f''(x) = 0$. Set $y = 0.5$ and $w = 0.5$. Suppose $f(0.5) \in [0.4, 0.6] - [0.4, 0.6] = [-0.2, 0.2]$ (we deliberately take a very poor interval approximation), then

$$\forall x \in [0, 1],\quad f(x) \le f^{hi}(0.5) + \sum_{i=1}^{1} 0 \times 0.5 + \frac12 \sum_{i,j=1}^{1} 0 \times 0.5 \times 0.5 = 0.2 < 1.$$

In the same way, for $f(x) = x - \arctan x$ we get $f'(x) = 1 - \frac{1}{1 + x^2}$, $f''(x) = \frac{2x}{(1 + x^2)^2}$. If $x \in [0, 1]$, then $f''(x) \in [-2, 0] = [f_{11}^{lo}, f_{11}^{hi}]$ and hence $|f''(x)| \le 2$. We compute

$$\forall x \in [0, 1],\quad f(x) \le 0.04 + 0.21 \times 0.5 + \frac12 \times 2 \times 0.5^2 < 0.4.$$

We see that interval arithmetic with Taylor approximations works much better. Moreover, we don't need to abandon direct interval approximations completely: every time we have to verify whether $f(D_i) < 0$, we can first find an interval approximation $\bar f(D_i)$ and then compute a Taylor approximation. If we don't get the inequality in both cases, then we subdivide the domain.

One simple trick which can be done with both interval and Taylor interval approximations is estimation of partial derivatives on a given domain. If it happens that $\bar f_j(D_k) = \overline{\frac{\partial f}{\partial x_j}}(D_k) < 0$ or $\bar f_j(D_k) > 0$, then it will be immediately possible to restrict further verifications to the boundary of $D_k = [a, b]$. Indeed, if $\bar f_j(D_k) < 0$ and $f(D_k|_{x_j = a_j}) < 0$, then $f(D_k) < 0$ since the function is decreasing along the $j$-th coordinate and its maximal value is attained at $x_j = a_j$. The same is true for increasing functions (consider $D_k|_{x_j = b_j}$). Moreover, if $\{x_j = a_j\}$ ($\{x_j = b_j\}$) is not on the boundary of the main domain $D$, then it is possible to completely ignore any further verifications for the region $D_k$. Indeed, if the restriction of $D_k$ is not on the boundary of the original domain, then there is another subdomain $D_j$ such that the restriction of $D_k$ is a subset of $D_j$ and the inequality is true on $D_j$. However, we need to be careful. Consider an example. Suppose $f(x) = -x^2 - 1$ and $D = [-1, 1]$. Assume that we have $D_1 = [-1, 0]$ and $D_2 = [0, 1]$. We get $f'(x) = -2x \ge 0$ on $[-1, 0]$. Hence, the function is increasing and we can consider the restricted domain $\{0\}$ which is not on the boundary of $[-1, 1]$. Also, $f'(x) = -2x \le 0$ on $[0, 1]$ and we again get $\{0\}$ as the restriction of $[0, 1]$. If we don't continue verifications in both cases, then we will not be able to verify the inequality. In order to avoid this problem, we always check a strict inequality for decreasing functions, that is, we test if $\bar f_j(x) > 0$ or $\bar f_j(x) < 0$.

Another trick is to check convexity of a function before subdividing a domain $D_k$. If we need to subdivide $D_k$ and find that $\bar f_{jj}(D_k) = \overline{\frac{\partial^2 f}{\partial x_j^2}}(D_k) \ge 0$, then it is enough to verify $f(D_k|_{x_j = a_j}) < 0$ and $f(D_k|_{x_j = b_j}) < 0$. By convexity of $f$ (i.e., $f$ attains its maximum on the boundary), we get $f(D_k) < 0$ from these two inequalities.
2.2 Solution Certificate Search Procedure

An informal verification procedure based on the ideas presented above has been developed in C++ for informal verification of Flyspeck nonlinear inequalities [8]. The starting point of our implementation of a formal procedure for verification of nonlinear inequalities is a port of this original C++ program into OCaml. This OCaml program informally verifies a given nonlinear inequality on a rectangular domain by finding Taylor interval approximations and subdividing domains if necessary. The result of this program is just a boolean value: yes or no, the inequality is true or false (there is a third option: verification could fail due to numerical instability or when subdomains become very small without any definite result).

We have modified the OCaml informal verification procedure such that it re- 
turns a partition of the original domain in a special tree-like structure which also 
contains all necessary information about verification steps for each subdomain. 
We call this structure a solution certificate for a given nonlinear inequality. The 
informal procedure is called the solution certificate search procedure. 

A solution certificate is defined with the following OCaml record

    type result_tree =
      | Result_false
      | Result_pass
      | Result_mono of mono_status list * result_tree
      | Result_glue of (int * bool * result_tree * result_tree)
      | Result_pass_mono of mono_status
      | Result_pass_ref of int

The record mono_status contains monotonicity information (i.e., whether some 
first-order partial derivative is negative or positive). 

A simplified solution certificate search algorithm is given below in OCaml-like pseudo code.

    let search f dom =
      let taylor_interval = {find Taylor approximation of f on dom} in
      let bounds = {taylor_interval bounds} in
      if bounds >= 0 then
        Result_false
      else if bounds < 0 then
        Result_pass
      else
        let d_bounds = {find bounds of partial derivatives} in
        let mono = {list of negative and positive partial derivatives} in
        if {mono is not empty} then
          let r_dom = {restrict dom using information from mono} in
          Result_mono (mono, search f r_dom)
        else
          let dd_bounds = {find bounds of second partial derivatives} in
          if {the j-th second partial derivative is non-negative} then
            let dom1, dom2 = {restrict dom along j} in
            let c1 = search f dom1 in
            let c2 = search f dom2 in
            Result_glue (j, true, c1, c2)
          else
            let j = {find j such that b_i - a_i is maximal} in
            let dom1, dom2 = {split dom along j} in
            let c1 = search f dom1 in
            let c2 = search f dom2 in
            Result_glue (j, false, c1, c2)

If the inequality $f(x) < 0$ holds on $D$, then the algorithm (applied to $f$ and $D$) will return a solution certificate which does not contain Result_false nodes (of course, the real algorithm could fail due to numerical instabilities and rounding errors). A solution certificate does not contain any explicit information about subdomains for which verification must be performed. All subdomains can be restored from a solution certificate and the initial domain $D$. For each Result_glue (j, false, c1, c2) node, it is necessary to split the domain in two halves along the $j$-th coordinate. The second argument is the convexity flag. If it is true, then the current domain must be restricted to its left and right boundaries along the $j$-th coordinate. For the new subdomains, the node contains their solution certificates: c1 and c2. The domain also has to be modified for Result_mono nodes. Each node of this type contains a list of indices and boolean parameters (packed in mono_status records) which indicate for which partial derivatives the monotonicity argument should be applied; the boolean parameters determine if the corresponding partial derivatives are positive or negative.
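The Taylor bound of Section 2.1 and the certificate search above, as an added Python illustration that is not the paper's OCaml code: it handles one univariate constructed test function f(x) = x - arctan(x) - c, uses plain float intervals without directed rounding (so the bounds are indicative, not rigorous), records which bound closed each leaf, and returns nested tuples in place of the Result_* constructors.

```python
import math

# Interval arithmetic on (lo, hi) float pairs. Added illustration of the
# paper's method, not its HOL Light code: plain floats without directed
# rounding, so the bounds are indicative rather than rigorous.
def const(c): return (c, c)
def iadd(a, b): return (a[0] + b[0], a[1] + b[1])
def isub(a, b): return (a[0] - b[1], a[1] - b[0])
def imul(a, b):
    p = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(p), max(p))
def isqr(a):  # tight square; imul(a, a) would suffer the dependency problem
    if a[0] <= 0.0 <= a[1]:
        return (0.0, max(a[0] * a[0], a[1] * a[1]))
    return imul(a, a)
def iinv(a):  # 1 / [lo, hi] for an interval that does not contain 0
    assert a[0] > 0.0 or a[1] < 0.0
    return (min(1.0 / a[0], 1.0 / a[1]), max(1.0 / a[0], 1.0 / a[1]))
def iatan(a): return (math.atan(a[0]), math.atan(a[1]))  # atan is increasing
def iabs(a): return max(-a[0], a[1])  # |[a, b]| = max{-a, b} as in the paper

def make_fns(c):
    """Constructed test function f(x) = x - arctan(x) - c together with f'
    and f'', each evaluated on an interval."""
    def f(x):   return isub(isub(x, iatan(x)), const(c))
    def df(x):  return isub(const(1.0), iinv(iadd(const(1.0), isqr(x))))
    def d2f(x):  # 2x / (1 + x^2)^2
        q = iadd(const(1.0), isqr(x))
        return imul(imul(const(2.0), x), iinv(isqr(q)))
    return f, df, d2f

def taylor_upper(fns, dom):
    """f^hi(y) + |f'(y)| w + 1/2 |f''(D)| w^2 with y the midpoint of D."""
    f, df, d2f = fns
    a, b = dom
    y = (a + b) / 2.0
    w = max(y - a, b - y)
    return f(const(y))[1] + iabs(df(const(y))) * w + 0.5 * iabs(d2f(dom)) * w * w

def search(fns, dom, depth=0, max_depth=30):
    """Certificate search for f(x) < 0 on dom in the paper's order: direct
    and Taylor bounds, monotonicity, convexity, then bisection. Nested
    tuples stand in for the Result_* constructors."""
    f, df, d2f = fns
    direct = f(dom)
    if direct[1] < 0.0:
        return ("pass", "direct")   # flag of Section 4.1: no Taylor interval needed
    if taylor_upper(fns, dom) < 0.0:
        return ("pass", "taylor")
    if direct[0] >= 0.0:
        return ("false",)           # f >= 0 on all of dom: the inequality fails
    if depth >= max_depth:
        return ("false",)           # no definite result
    d = df(dom)
    if d[0] > 0.0:                  # strictly increasing: maximum at the right end
        return ("mono", "incr", search(fns, (dom[1], dom[1]), depth + 1, max_depth))
    if d[1] < 0.0:                  # strictly decreasing: maximum at the left end
        return ("mono", "decr", search(fns, (dom[0], dom[0]), depth + 1, max_depth))
    if d2f(dom)[0] >= 0.0:          # convex: maximum attained at the endpoints
        return ("glue", "convex",
                search(fns, (dom[0], dom[0]), depth + 1, max_depth),
                search(fns, (dom[1], dom[1]), depth + 1, max_depth))
    m = (dom[0] + dom[1]) / 2.0     # otherwise bisect (the only coordinate)
    return ("glue", "split",
            search(fns, (dom[0], m), depth + 1, max_depth),
            search(fns, (m, dom[1]), depth + 1, max_depth))

def has_false(tree):
    return tree[0] == "false" or any(has_false(t) for t in tree if isinstance(t, tuple))

if __name__ == "__main__":
    print(search(make_fns(1.0), (-1.0, 2.0)))  # x - arctan x - 1 < 0 on [-1, 2]
    print(search(make_fns(0.0), (0.0, 1.0)))   # x - arctan x < 0 fails at x = 0
```

On [-1, 2] with c = 1 the root domain is bisected, the left half closes by the Taylor bound, and the right half is strictly increasing so only its right endpoint is checked directly.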

The simplified algorithm never returns nodes of type Result_pass_mono. The real solution certificate search algorithm is a little more complicated. Every time the monotonicity argument is applied, it checks whether the restricted domain is on the boundary of the original domain or not (the original domain is an argument of the algorithm). If the restricted domain is not on the boundary of the original domain, then Result_pass_mono will be returned.

If a solution certificate contains nodes of type Result_pass_mono, then it is necessary to transform such a certificate to get new certificates which can be formally verified. Indeed, suppose we have a Result_pass_mono node and the corresponding domain is $D_k$. Result_pass_mono requires applying the monotonicity argument to $D_k$, that is, restricting this domain to its boundary along some coordinate. But it doesn't contain any information on how to verify the inequality on the restricted subdomain. We can only claim that there is another subdomain $D_j$ (corresponding to some other node of a solution certificate) such that the restriction of $D_k$ is a subset of $D_j$. In other words, to verify the inequality on $D_k$, we first need to find $D_j$ such that the restriction of $D_k$ is a subset of $D_j$ and such that the inequality can be verified on $D_j$. To solve this problem, we transform a given solution certificate into a list of solution certificates and subdomains for which these new solution certificates work. Each solution certificate in the list may refer to previous solution certificates with Result_ref. The last solution certificate in the list corresponds to the original domain. The transformation algorithm is the following

    let transform certificate acc =
      let sub_certs = {find all maximal sub-certificates
                       which do not contain Result_pass_mono} in
      if {sub_certs contains certificate} then
        {add certificate to acc and return acc}
      else
        let sub_certs = {remove certificates consisting of a single
                         Result_ref from sub_certs} in
        let paths = {find paths to sub-certificates in sub_certs} in
        let _ = {add sub_certs and the corresponding paths to acc} in
        let new_cert1 = {replace all sub_certs in certificate
                         with references} in
        let new_cert2 = {replace Result_pass_mono nodes in new_cert1
                         if they can be verified using subdomains
                         defined by paths in acc} in
        transform new_cert2 acc

This algorithm maintains a list acc of solution certificates which do not contain nodes of type Result_pass_mono. The list also contains paths to subdomains corresponding to certificates. Each path is a list of pairs and it can be used to construct the corresponding subdomain starting from the original domain. Each pair is one of ("l", i), ("r", i), ("ml", i), or ("mr", i) where i is an index. The "l" and "r" labels correspond to left and right subdomains after splitting, "ml" and "mr" correspond to left and right restricted subdomains. The index i specifies the coordinate along which the operation must be performed. When a reference node Result_ref is generated for a sub-certificate at the j-th position in the accumulator list acc, then the argument of Result_ref is j.

3 Formal Verification 

The first step of developing a formal verification procedure is formalization of all necessary theories involving the multivariate Taylor theorem and related topics. Standard HOL Light libraries contain a formalization of Euclidean vector space [20] and define general Frechet derivatives and Jacobian matrices for working with first-order partial derivatives. Also, HOL Light contains the general univariate Taylor theorem. We formalized all other important results including the theory of partial derivatives, the equality of second-order mixed partial derivatives, and the multivariate Taylor formula with the second-order error term.

The main formal verification step is to compute a formal Taylor interval approximation for a function $f : \mathbb{R}^n \to \mathbb{R}$ on a given domain $D = [a, b]$. Each formal Taylor approximation includes the following data: a point $y = (a + b)/2 \in D$, a vector $w$ which estimates the width of the domain and has the property $w \ge \max\{b - y, y - a\}$ (all operations are componentwise), an interval bound of $f(y) \in [f^{lo}, f^{hi}]$, interval bounds of partial derivatives $f_i(y) \in [f_i^{lo}, f_i^{hi}] = d_i$ for all $i = 1, \dots, n$, interval bounds of second-order partial derivatives on the full domain $f_{ij}(x) \in [f_{ij}^{lo}, f_{ij}^{hi}] = d_{ij}$ for all $i = 1, \dots, n$, $j \le i$, and $x \in D$. Based on this data, an interval approximation of $f(x)$ and its partial derivatives on $D$ can be computed. For instance, the following theorem gives an interval approximation of $f(x)$ when $n = 2$

$$\begin{aligned}
& w_1|d_1| + w_2|d_2| \le b \;\wedge\; w_1(w_1|d_{1,1}|) + w_2(w_2|d_{2,2}| + 2w_1|d_{2,1}|) \le e \\
& \wedge\; b + 2^{-1}e \le a \;\wedge\; l \le f^{lo} - a \;\wedge\; f^{hi} + a \le h \\
& \Longrightarrow (\forall x,\; x \in D \Rightarrow f(x) \in [l, h]).
\end{aligned}$$

(Here, $|d_i| = |[f_i^{lo}, f_i^{hi}]| = \max\{-f_i^{lo}, f_i^{hi}\}$.)

Formal computations of Taylor interval approximations require a lot of basic arithmetic operations. We implemented efficient procedures for working with natural numbers and real numbers in HOL Light. Our implementation of formal natural number arithmetic works with numerals in an arbitrary fixed base. Our implementation improves the performance of standard HOL Light arithmetic operations with natural numbers by the factor $\log_2 b$ (where $b$ is a fixed base constant) for linear operations (in the size of input arguments) and by the factor $(\log_2 b)^2$ for quadratic operations. We approximate real numbers with floating-point numbers which have fixed precision of the mantissa. This precision is controlled by an informal parameter which specifies the maximal number of digits in results of formal floating-point operations. All formal floating-point operations yield inequality theorems which approximate real results from above or below. Formal verification procedures are based on our implementation of interval arithmetic which works with formal floating-point numbers. We also cache results of all basic arithmetic operations to improve the performance of formal computations.

A description of our formal verification procedure is technical and it can be found in [3]. Here we give an example which demonstrates how the formal verification procedure works. Let $f(x) = x - 2$ and we want to prove $f(x) < 0$ for $x \in [-1, 1]$. Suppose that we have the following solution certificate

    Result_glue {1, false,
      Result_pass_mono {[1, incr]},
      Result_mono {[1, incr],
        Result_pass
      }
    }

This certificate tells that the inequality may be verified by first splitting the domain into two subdomains along the first (and the only) variable; then the left branch follows from some other formal verification result by monotonicity (Result_pass_mono); the right branch follows by the monotonicity argument and by a direct verification. This certificate cannot be used directly for a formal verification since we don't know how the left branch is proved. The first step is to transform this certificate into a list of certificates such that each certificate can be verified on the subdomain specified by the corresponding path. We get the following list of certificates

    [
      ["r", 1], Result_mono {[1], Result_pass};
      ["l", 1], Result_mono {[1], Result_ref {0}};
      [],       Result_glue {1, false, Result_ref {1}, Result_ref {0}}
    ]

The first element corresponds to the right branch of the original Result_glue (hence, the path is ["r", 1] which means subdivision along the first variable and taking the right subdomain). A formal verification of the first certificate yields $\vdash x \in [0, 1] \Rightarrow f(x) < 0$. The second result is the transformed left branch of the original certificate. This transformed result explicitly refers to the first proved result (Result_ref {0}). Now it can be verified. Indeed, Result_ref {0} yields $\vdash x \in [0, 0] \Rightarrow f(x) < 0$ (since $[0, 0] \subset [0, 1]$ and we have the theorem for $[0, 1]$ which we use in the reference). Then the monotonicity argument

$$(\forall x,\; x \in [-1, 0] \Rightarrow 0 < f'(x)) \;\wedge\; (\forall x,\; x \in [0, 0] \Rightarrow f(x) < 0) \;\Longrightarrow\; (\forall x,\; x \in [-1, 0] \Rightarrow f(x) < 0)$$

yields $\vdash x \in [-1, 0] \Rightarrow f(x) < 0$. The last entry of the list refers to two proved results and glues them together in the right order:

$$(\forall x,\; x \in [-1, 0] \Rightarrow f(x) < 0) \;\wedge\; (\forall x,\; x \in [0, 1] \Rightarrow f(x) < 0) \;\Longrightarrow\; (\forall x,\; x \in [-1, 1] \Rightarrow f(x) < 0)$$
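A checker for certificate lists of this form, as an added Python illustration (not the HOL Light procedure): it rebuilds each subdomain from its path as described in Section 2.2, resolves Result_ref nodes against earlier entries by a subset test, and checks leaves by a plain float interval evaluation instead of a formal Taylor interval, so the result is indicative rather than a theorem. The tuple tags, the `FNS_LIN`/`CERTS_LIN` names and the 1-based coordinate convention are assumptions made here; the function and the list mirror the $x - 2$ example above.

```python
# Boxes are lists of (lo, hi) pairs, one per coordinate; coordinates are
# 1-based as in the paper. Floats without directed rounding: illustrative only.

def split(box, i):
    """Halve box along coordinate i; returns (left, right)."""
    lo, hi = box[i - 1]
    m = (lo + hi) / 2.0
    left, right = list(box), list(box)
    left[i - 1], right[i - 1] = (lo, m), (m, hi)
    return left, right

def restrict(box, i, side):  # "ml": x_i = a_i (left face), "mr": x_i = b_i
    lo, hi = box[i - 1]
    out = list(box)
    out[i - 1] = (lo, lo) if side == "ml" else (hi, hi)
    return out

def box_from_path(dom, path):
    """Rebuild a subdomain from the original domain and a path of
    ("l"|"r"|"ml"|"mr", i) steps, as stored with each list entry."""
    box = list(dom)
    for label, i in path:
        if label in ("l", "r"):
            box = split(box, i)[0 if label == "l" else 1]
        else:
            box = restrict(box, i, label)
    return box

def subset(inner, outer):
    return all(o[0] <= a and b <= o[1] for (a, b), o in zip(inner, outer))

def check(node, box, fns, proven):
    """True iff the certificate node establishes f < 0 on box; proven holds
    the boxes of earlier list entries, indexed as Result_ref arguments."""
    f, df, d2f = fns
    kind = node[0]
    if kind == "pass":                  # leaf: direct interval evaluation
        return f(box)[1] < 0.0
    if kind == "false":
        return False
    if kind == "ref":                   # earlier result must cover this box
        return subset(box, proven[node[1]])
    if kind == "mono":                  # ("mono", [(i, "incr"|"decr"), ...], sub)
        for i, direction in node[1]:
            d = df(box, i)
            if direction == "incr" and d[0] > 0.0:
                box = restrict(box, i, "mr")   # maximum on the right face
            elif direction == "decr" and d[1] < 0.0:
                box = restrict(box, i, "ml")   # maximum on the left face
            else:
                return False                   # strict monotonicity not shown
        return check(node[2], box, fns, proven)
    if kind == "glue":                  # ("glue", i, convex_flag, c1, c2)
        _, i, convex, c1, c2 = node
        if convex:
            if d2f(box, i)[0] < 0.0:
                return False                   # convexity claim not shown
            b1, b2 = restrict(box, i, "ml"), restrict(box, i, "mr")
        else:
            b1, b2 = split(box, i)
        return check(c1, b1, fns, proven) and check(c2, b2, fns, proven)
    raise ValueError("unknown certificate node %r" % (kind,))

def verify_list(dom, entries, fns):
    """Verify a transformed certificate list in order; the last entry must
    carry the empty path, i.e. prove the inequality on the original domain."""
    proven = []
    for path, cert in entries:
        box = box_from_path(dom, path)
        if not check(cert, box, fns, proven):
            return False
        proven.append(box)
    return entries[-1][0] == []

# f(x) = x - 2 on [-1, 1] with the three-entry certificate list from above.
def f_lin(box):       return (box[0][0] - 2.0, box[0][1] - 2.0)
def df_lin(box, i):   return (1.0, 1.0)     # d/dx (x - 2) = 1
def d2f_lin(box, i):  return (0.0, 0.0)
FNS_LIN = (f_lin, df_lin, d2f_lin)
CERTS_LIN = [
    ([("r", 1)], ("mono", [(1, "incr")], ("pass",))),
    ([("l", 1)], ("mono", [(1, "incr")], ("ref", 0))),
    ([],         ("glue", 1, False, ("ref", 1), ("ref", 0))),
]

if __name__ == "__main__":
    print(verify_list([(-1.0, 1.0)], CERTS_LIN, FNS_LIN))  # True
```

Swapping the two references in the last entry makes the subset test fail, because $[-1, 0]$ is not covered by the result proved for $[0, 1]$.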

4 Optimization Techniques and Future Work 
4.1 Implemented Optimization Techniques 

There are several optimization techniques for formal verification of nonlinear 
inequalities. One of the basic ideas of optimization techniques is to compute extra 
information for solution certificates which helps to increase the performance of 
formal verification procedures. 

The first optimization technique is to try out direct interval evaluations with- 
out Taylor approximations. If a direct interval evaluation yields a desired result 
(verification of an inequality on a domain or verification of a monotonicity prop- 
erty), then a special flag is added to the corresponding certificate node. This 
flag indicates that it is not necessary to compute full formal Taylor interval and 
it is enough to evaluate the function directly with interval arithmetic (which is 
faster). These flags are added to Result_pass and Result_mono nodes. 

An important optimization procedure is to find the best (minimal) precision which is sufficient for verifying an inequality on each subdomain. We have a special informal implementation of all arithmetic, Taylor interval evaluation, and verification functions which compute results in the same way as the corresponding formal functions. This informal implementation is much simpler (because it does not prove anything) and faster (since it does not prove anything and all basic arithmetic is done by native machine arithmetic). For a given solution certificate, we run a modified informal verification procedure which tests different precision parameter values for each certificate node. It finds out the smallest value of the precision parameter for each certificate node such that the verification result is correct. Then a modified solution certificate is created where each node contains information about the best precision parameter. A special version of the formal verification procedure accepts this new certificate and verifies the inequality with the computed precision parameters. This adaptive precision technique increases the performance of formal arithmetic computations.

4.2 Future Work 

There are some optimization ideas which are not implemented yet. The first 
idea is to stop computations of bounds of second-order partial derivatives for 
Taylor intervals at some point and reuse bounds computed for larger domains. 
The error term in Taylor approximation depends quadratically on the size of a 
domain. When domains are sufficiently small, good approximations of bounds 
of second-order partial derivatives are not very important. This strategy could 
save quite a lot of verification time since formal evaluation of second-order partial 
derivative bounds is expensive for many functions. 

Another unimplemented optimization is verification of sets of similar inequal- 
ities on the same domain. The idea is to reuse results of formal computations as 
much as possible for inequalities which have a similar structure and which are 
verified on the same domains. The basic strategy is to find a subdivision of the 
domain into subdomains such that each inequality in the set can be completely 
verified on each subdomain. If inequalities in the set share a lot of similar com- 
putations, then the verification of all inequalities in the set could be almost as 
fast as the verification of the most difficult inequality in the set. This approach 
should work well for Flyspeck inequalities where many inequalities share the 
same sub-expressions and domains. 

An important unimplemented feature is verification of disjunctions of inequalities. That is, we want to verify inequalities in the form

$$\forall x \in D \Rightarrow f_1(x) < 0 \;\vee\; f_2(x) < 0 \;\vee\; \dots \;\vee\; f_k(x) < 0.$$

This form is equivalent to an inequality on a non-rectangular domain since

$$(P(x) \Rightarrow f(x) < 0 \vee g(x) < 0) \iff (P(x) \wedge 0 \le g(x) \Rightarrow f(x) < 0).$$

Many Flyspeck inequalities are in this form. A formal verification of these inequalities is simple. It is enough to add indices of functions for which the inequality is satisfied to the corresponding nodes of solution certificates. Then it will only be necessary to modify the formal gluing procedure. It should be able to combine inequalities for different functions with disjunctions.
5 Results and Tests

This section briefly introduces the implemented verification tool and presents some test results for several polynomial and non-polynomial inequalities. We also compare the performance of the formal verification tool and the informal C++ verification procedure for Flyspeck nonlinear inequalities. All tests were performed on an Intel Core i5, 2.67GHz running Ubuntu 9.10 inside VirtualBox 4.2.0 on a Windows 7 host; the OCaml version was 3.09.3; the base of arithmetic was 200.

5.1 Overview of the Formal Verification Tool 

A user manual which contains information about the tool and installation instructions is available at [2]. Here, we briefly describe how the tool can be used. Suppose we want to verify a polynomial inequality

$$-\frac{1}{\sqrt{3}} \le x \le \sqrt{2} \;\wedge\; -\sqrt{\pi} \le y \le 1 \;\Longrightarrow\; x^2 y - x y^4 + y^6 + x^4 - 7 > -7.17995.$$

The following HOL Light script solves this problem

    needs "verifier/m_verifier_main.hl";;
    open M_verifier_main;;

    let ineq = `-- &1 / sqrt(&3) <= x /\ x <= sqrt(&2)
                /\ -- sqrt(pi) <= y /\ y <= &1
                ==> x pow 2 * y - x * y pow 4 + y pow 6 - &7 + x pow 4
                    > -- #7.17995`;;

    let th, stats = verify_ineq default_params 5 ineq;;

The first two lines of the script load the verification tool. The main verification function is called verify_ineq. It takes 3 arguments. The first argument contains verification options. In most cases, it is enough to provide the default options default_params. The second parameter specifies the precision of formal floating-point operations. The third parameter is the inequality itself given as a HOL Light term. The format of this term is simple: it is an implication with bounds of variables in the antecedent and an inequality in the consequent. The bounds of all variables should be in the form a constant expression <= x or x <= a constant expression. For each variable, upper and lower bounds must be given. The inequality must be a strict inequality (< or >). The inequality may include sqrt (√), atn (arctan), and acs (arccos) functions. The constant pi (π) is also allowed.

The verification function returns a HOL Light theorem and a record with 
some verification information which includes verification time. 






5.2 Polynomial Inequalities 

Here is a list of test polynomial inequalities taken from [16].

- schwefel: $(x_1, x_2, x_3) \in [(-10, -10, -10), (10, 10, 10)] \Longrightarrow -5.8806 \times 10^{-10} < (x_1 - x_2^2)^2 + (x_2 - 1)^2 + (x_1 - x_3^2)^2 + (x_3 - 1)^2.$

- caprasse: $(x_1, x_2, x_3, x_4) \in [(-0.5, -0.5, -0.5, -0.5), (0.5, 0.5, 0.5, 0.5)] \Longrightarrow -3.1801 < -x_1 x_3^3 + 4 x_2 x_3^2 x_4 + 4 x_1 x_3 x_4^2 + 2 x_2 x_4^3 + 4 x_1 x_3 + 4 x_3^2 - 10 x_2 x_4 - 10 x_4^2 + 2.$

- magnetism: $(x_1, x_2, x_3, x_4, x_5, x_6, x_7) \in [(-1, -1, -1, -1, -1, -1, -1), (1, 1, 1, 1, 1, 1, 1)] \Longrightarrow -0.25001 < x_1^2 + 2 x_2^2 + 2 x_3^2 + 2 x_4^2 + 2 x_5^2 + 2 x_6^2 + 2 x_7^2 - x_1.$

- heart: $(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8) \in [(-0.1, 0.4, -0.7, -0.7, 0.1, -0.1, -0.3, -1.1), (0.4, 1, -0.4, 0.4, 0.2, 0.2, 1.1, -0.3)] \Longrightarrow -1.7435 < -x_1 x_6^3 + 3 x_1 x_6 x_7^2 - x_3 x_7^3 + 3 x_3 x_7 x_6^2 - x_2 x_5^3 + 3 x_2 x_5 x_8^2 - x_4 x_8^3 + 3 x_4 x_8 x_5^2 - 0.9563453.$

Performance test results are given in Table 1. The column total time contains the total verification time, the column formal contains the time of the formal verification only. The formal verification excludes all preliminary processes: computation of partial derivatives, search of solution certificates, and the adaptive precision search procedure. The last two columns show the corresponding verification time for the PVS procedure which is based on the Bernstein polynomial technique and described in [16].

Test results show that our procedure is faster than the Bernstein polynomial procedure in PVS for most cases. On the other hand, there still exist cases where our tool is slower.

Table 1. Polynomial inequalities

    Inequality ID   total time (s)   formal (s)   total PVS (s)   formal PVS (s)
    schwefel        26.33            19.15        10.23           3.18
    caprasse        8.06             1.29         11.44           1.25
    magnetism       7.01             1.35         160.44          82.87
    heart           17.30            1.28         79.68           26.14

5.3 Flyspeck Inequalities

The Flyspeck project contains 985 nonlinear inequalities. The informal verification program written in C++ can verify all these inequalities in about 10 hours. Most inequalities (683) can be informally verified in less than 10 seconds. Almost all inequalities (911) can be informally verified in less than 100 seconds.

We tested our formal verification procedure on several simple Flyspeck inequalities. Some of these inequalities are listed below. Table 2 contains performance test results for these inequalities. The column total time contains the total formal verification time, the column formal contains the time of the formal verification only (excluding all preliminary processes), the column informal contains the informal verification time by the C++ program.

$$\begin{aligned}
\Delta(x_1, \dots, x_6) = {} & x_1 x_4(-x_1 + x_2 + x_3 - x_4 + x_5 + x_6) \\
& + x_2 x_5(x_1 - x_2 + x_3 + x_4 - x_5 + x_6) \\
& + x_3 x_6(x_1 + x_2 - x_3 + x_4 + x_5 - x_6) \\
& - x_2 x_3 x_4 - x_1 x_3 x_5 - x_1 x_2 x_6 - x_4 x_5 x_6,
\end{aligned}$$

$$\mathrm{dih}_x(x_1, \dots, x_6) = \frac{\pi}{2} - \arctan\left( \frac{\frac{\partial \Delta}{\partial x_4}(x_1, \dots, x_6)}{\sqrt{4 x_1 \Delta(x_1, \dots, x_6)}} \right),$$

$$\mathrm{dih}_y(y_1, \dots, y_6) = \mathrm{dih}_x(y_1^2, \dots, y_6^2).$$

- 4717061266: $4 \le x_i \le 6.3504 \Longrightarrow \Delta(x_1, x_2, x_3, x_4, x_5, x_6) > 0.$

- 7067938795: $4 \le x_{1,2,3} \le 6.3504,\; x_4 = 4,\; 3.01^2 \le x_{5,6} \le 3.24^2 \Longrightarrow \mathrm{dih}_x(x_1, \dots, x_6) - \pi/2 + 0.46 < 0.$

- 3318775219: $2 \le y_i \le 2.52 \Longrightarrow 0 < \mathrm{dih}_y(y_1, \dots, y_6) - 1.629 - 0.763(y_4 - 2.52) - 0.315(y_1 - 2.0) + 0.414(y_2 + y_3 + y_5 + y_6 - 8.0).$

We also found the formal verification time of all Flyspeck inequalities which can be informally verified in less than one second and which do not contain disjunctions of inequalities. Table 3 summarizes the test results. The columns total time and formal show the total formal verification time and the formal verification time without preliminary processes for the corresponding sets of inequalities. The column informal contains the informal verification time for the same sets of inequalities.

Test results show that our formal verification procedure is about 2000-4000 
times slower than the informal verification program. 
Table 2. Flyspeck inequalities

    Inequality ID   total time (s)   formal (s)   informal (s)
    2485876245a     5.530            0.058
    4559601669b     4.679            0.048
    4717061266      27.1             0.250
    5512912661      8.860            0.086        0.002
    6096597438a     0.071            0.071
    6843920790      2.824            0.076        0.002
    SDCCMGA b       9.012            0.949        0.006
    7067938795      431              387          0.070
    5490182221      1726             1533         0.375
    3318775219      17091            15226        8.000

Table 3. Flyspeck inequalities which can be informally verified in 1 second

    time interval (ms)   # inequalities   total time (s)   formal (s)   informal (s)
                         57               423              2.159
    1-100                35               5546             3854         1.134
    101-500              11               12098            10451        3.944
    501-700              14               32065            28705        8.423
    701-1000             9                19040            16688        7.274